
Cyber Security Compliance and The Law

Author: Anthony Michael

Cyber security compliance can be a confusing topic. In an ever-changing digital landscape, how can you be sure that you are doing all that you can to protect your data, and what are you required to do under Australian law? In this article we are going to give an overview of some of the key things you have to keep in mind when designing, updating, and carrying out your cyber security strategy. The three main areas of focus are: the Australian Privacy Act, the Notifiable Data Breach Scheme, and Payment Card Industry Data Security Standard (PCI DSS) compliance.

First, let’s look at the Australian Privacy Act.

The Privacy Act of 1998 regulates how personal information is handled and includes 13 areas known as the Australian Privacy Principles (APPs) that outline how to handle, use, and manage personal information.

They apply to:

  • Most Australian Government agencies
  • All private sector and not-for-profit organisations with an annual turnover of greater than AUD$3 million
  • All private health service providers, and
  • Some small businesses.

Under the Australian Privacy Act, organisations must take active measures to ensure the security of the personal information that they hold.

[Image from oaic.gov.au (the Office of the Australian Information Commissioner) showing the 13 Australian Privacy Principles.]

Next, let’s take a look at the Notifiable Data Breach Scheme.

On the 22nd of February 2018 the Notifiable Data Breach Scheme (NDB) came into effect. This scheme aims to ensure better protection for the public when a data breach has occurred. The scheme applies to any company or organisation that has a turnover of AUD$3 million or more.

Under this scheme, any unauthorised access to data by an employee of the company, an independent contractor, or a third party must be reported to the Office of the Australian Information Commissioner. The organisation must also directly inform the people whose information has been exposed, in order to give them a chance to protect themselves from the serious effects of an information hack.

Some of the types of data that fall under this scheme include:

  • Bank account information
  • Credit card details
  • Medical records, and
  • Identification documents.

So making sure that you understand the boundaries of your network, the information contained within it, and how you as an organisation are notified of a data breach is crucial to being able to comply with these legal requirements.

Lastly, let’s take a look at the Payment Card Industry Data Security Standard (PCI DSS).

Launched in 2006 to manage the risks around payment card data, these security standards were developed and adopted by almost all major payment card brands (Visa, MasterCard, American Express) and apply to all companies that accept, process, store, or transmit credit card information.

Complying with PCI DSS is extremely important. Failure to do so can result in fines of up to $100,000 per month of non-compliance and may even result in termination of your ability to use the card brands’ services to take payments at all, completely halting your business continuity.

Under this scheme, depending on the volume of card payments that your business handles, you are sorted into one of four merchant levels:

  1. Over 6 million transactions per year
  2. Between 1 million and 6 million transactions per year
  3. Between 20,000 and 1 million e-commerce transactions per year
  4. Fewer than 20,000 e-commerce transactions and up to 1 million transactions per year regardless of acceptance channel.

Once your merchant level has been established, you are expected to either pass a regular in-person audit (this is for larger organisations) or, more likely, sign an Attestation of Compliance (AOC) on a yearly basis.

In order to meet the requirements for an AOC you must, in most cases, have done two things:

  1. Passed a vulnerability scan from an Approved Scanning Vendor (ASV). These scans determine how vulnerable your externally facing systems are.
  2. Completed a Self-Assessment Questionnaire (SAQ), with supporting evidence for the answers you provide.

The SAQs come in multiple forms, so make sure that you are being assessed against the correct standard for your business, as the degree of difficulty in completing them varies widely in scope: from SAQ D, which has hundreds of requirements to complete, to SAQ A, which has only a few dozen.

While it all seems very complicated, managing your PCI DSS compliance is just a matter of strategy, and it can be easily handled with the right systems in place.

Hopefully this article has helped with your understanding of some of the things you need to know when it comes to the cyber security requirements you must abide by as an operational organisation.

And remember: if you have any questions or would like an assessment of your compliance levels, please get in contact with us. We’re always here to help.